PCI Compliance and PoS Security

If you run a business that processes credit card payments you know the difficulties of PCI compliance. The Payment Card Industry Data Security Standard (PCI DSS) is a security standard that applies to any organization that accepts, processes or stores credit card data. The PCI standard is mandated by the credit card companies and administered by the Payment Card Industry Security Standards Council, which outlines the requirements of PCI compliance. Securing your PoS (Point of Sale) systems isn't as simple as it may seem at first glance. Most often the largest weaknesses in these PoS systems are the way they are deployed, maintained and operated. Deployment and maintenance problems abound, but the most common mistakes are often:

Weak or Default Configuration Issues

Segmentation of PoS Network

Lack of Patch Management

Lack of Anti-malware

Improper Encryption Implementation

Lack of Next Gen Firewalls

Nonexistent IPS

Noncompliance to PCI DSS

These weaknesses are the openings that skilled and determined cybercriminals use to breach these systems for their financial gain. The criminal underbelly of the Internet, or Dark web, offers a wide array of malware toolkits that aid criminals in the process of breaching systems and networks. The power and complexity of these malware kits rivals the features, functionality and quality of software from some of the best software companies in the world. When cybercriminals have seemingly endless motive and opportunity, we have a problem that requires addressing. Doing so requires that some of the following be implemented:

Harden Endpoints

Most endpoint default configurations are not up to compliance or even basic security standards. Default configurations such as lax permissions, unnecessary users and default passwords should be locked down to minimize risk. This holds regardless of the type of device: desktop, tablet, smartphone, etc. It is imperative we address this by hardening, or improving the security of, those systems before we even deploy them.

End to End Encryption

Encryption should be always and everywhere. Data at rest and in motion should be encrypted. Systems (endpoints) should be encrypted and all of their network traffic should be as well. In this day and age, there are hundreds of affordable and easy to deploy options for encrypting data at rest and in transit.

Deploy Patch Management

Patching devices addresses known bugs and vulnerabilities in operating systems and applications. While it is no panacea against a zero day, it does significantly reduce your risk from known vulnerabilities. Patch management is required for ALL devices on your network. This includes your network devices, smartphones, IoT devices, etc.

Enable MFA (Multi-Factor Authentication)

Multi-factor authentication (also known as MFA, two-factor authentication, two-step verification, TFA, T-FA or 2FA) is an authentication approach that requires two or more core factors. It requires something you know (your password), something you have (a physical authentication token or a virtual MFA app on a smartphone), and, in the case of biometrics, a third physical factor such as your fingerprint or retinal pattern (among other options). Today we have many affordable multi-factor options in hardware and software form. We need not stick with the tired and insecure single-factor password.

Properly Segment Networks

For the same reason a bank doesn't place its money on the street (outside its secured building), we shouldn't leave our networks unsegmented. We want to minimize our risk exposure by moving those machines involved in our PoS network to their own network space and securing it accordingly. Connections to vendors, franchisees and other departments should be restricted to only what is required.

Limit or Block Internet Access

Internet access from PoS systems should be absolutely minimal or non-existent. If the system doesn't need access, it should be restricted or removed. This reduces the risk of malware infection via social media, phishing and email.
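The segmentation and internet-restriction controls described in the two sections above, expressed as a default-deny allow list for the PoS segment and checked against constructed flow records, as an added Python example (not code from the original post; all addresses, hosts and allow-list entries are assumptions):

```python
import ipaddress

# All addresses below are constructed for this example, not taken from the post.
POS_NET = ipaddress.ip_network("10.20.0.0/24")       # PoS terminals and back-office server
MGMT_HOST = ipaddress.ip_network("10.10.5.10/32")    # hardened admin jump host in the corporate LAN
PAYMENT_GW = ipaddress.ip_network("203.0.113.0/24")  # payment processor range (documentation prefix)
PATCH_SRV = ipaddress.ip_network("10.20.0.250/32")   # internal patch / anti-malware update server

# Default-deny allow list for the PoS segment: (source, destination, TCP port).
# Any flow touching POS_NET that matches nothing here is a segmentation violation.
ALLOW = [
    (POS_NET, PAYMENT_GW, 443),  # card authorisation to the processor over TLS only
    (POS_NET, PATCH_SRV, 443),   # patch and signature updates from an internal server
    (MGMT_HOST, POS_NET, 22),    # administration only from the jump host
]

def in_scope(src, dst):
    """A flow is governed by the PoS policy if either end is in the PoS segment."""
    s, d = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    return s in POS_NET or d in POS_NET

def is_allowed(src, dst, port):
    """Return True only if an explicit allow-list entry matches (default deny)."""
    s, d = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    return any(s in a and d in b and port == p for a, b, p in ALLOW)

def find_violations(flow_lines):
    """Parse 'src dst port' flow records and return those the PoS policy forbids."""
    violations = []
    for line in flow_lines:
        src, dst, port = line.split()
        port = int(port)
        if in_scope(src, dst) and not is_allowed(src, dst, port):
            violations.append((src, dst, port))
    return violations

# Constructed flow records (src dst port), as a firewall or NetFlow collector might export.
SAMPLE_FLOWS = [
    "10.20.0.17 203.0.113.5 443",   # terminal -> processor: allowed
    "10.20.0.17 198.51.100.9 443",  # terminal -> arbitrary internet host: violation
    "10.10.5.10 10.20.0.17 22",     # jump host -> terminal: allowed
    "10.10.7.33 10.20.0.17 445",    # corporate workstation -> terminal (SMB): violation
    "10.20.0.17 10.20.0.250 443",   # terminal -> patch server: allowed
    "10.10.7.33 198.51.100.9 443",  # corporate -> internet: outside the PoS policy's scope
]

if __name__ == "__main__":
    for v in find_violations(SAMPLE_FLOWS):
        print("segmentation violation:", *v)
```

Running the block against the constructed records reports the two flows that cross the segment boundary without an allow-list entry; the same check can be pointed at real flow exports to verify that the firewall actually enforces the intended segmentation.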

Deploy Advanced Next Gen or UTM Firewalls

Firewalls, like all other technologies, have undergone a continual evolution. No longer do they simply inspect protocol and port; they now have intelligence and insight into the traffic they filter. Next Generation firewalls and UTMs offer a variety of features including intrusion prevention, application intelligence, URL filtering, wireless security and VPN. These advanced features allow us to mitigate many of the risks to our PoS systems.

Deploy & Manage Anti-malware

Anti-malware is another fundamental requirement of compliance. Anti-malware solutions have evolved beyond simple signature-based options to take a comprehensive look at behavior and heuristics. Modern anti-malware isn't a singular panacea, but alongside these other efforts it can significantly reduce risk exposure.

End User Training

End users should have some basic training in policies, procedures and the use of technology. End users who are aware of policies and best practices are often more capable of behaving in ways that keep your company secure. Since many breaches and malware infections have an aspect of social engineering, end user training is never without its benefits.

PCI DSS Compliance

The Payment Card Industry Data Security Standard (PCI DSS) is a security standard that applies to any organization that accepts, processes or stores credit card data. This standard mandates the implementation of technical and audit requirements to protect against a breach of credit card data. A QSA (Qualified Security Assessor) like Evolutionary IT helps companies create a ROC (Report on Compliance), which details compliance status and efforts. Organizations that suffer a data breach can be fined or held liable for losses should they be shown not to have implemented adequate security controls. Again, compliance isn't a single one-time effort but an ongoing effort on the part of the organization.

Holistic Infosec

Security isn't a singular, one-dimensional effort. It requires that people, process and technology all work in alignment. Defense in depth is created only when all of these things are done together. Just as a symphony isn't any single musician, so too security is the many facets outlined here working together to produce harmony.

So where are you on your Point of Sale system security? Are you confident in your systems and network? What have you done to lock them down? Please leave a comment below or join our newsletter for more info.

Joseph P. Guarino has a long history of producing business results with the application of information technology. Joseph's expertise spans over 15 years in the private sector at leading technology firms and consulting organizations. With Evolutionary IT, he saw a market need to bring his transformative knowledge and expertise to firms in the New England area and worldwide. Joseph is driven by a strong desire to see customers thrive with the best business solutions. Evolutionary IT evolved out of this desire to bring a new level of quality IT solutions, align them with business goals and give customers a competitive edge.

2 Responses to "PCI Compliance and PoS Security"

By John January 3, 2017 - 7:20 pm

To strengthen the weaknesses of the PoS systems, do you think all staff that use a PoS system should be trained in the correct use and how to maintain it, and even explain why so they know the importance of it? I picked up an extra job over Christmas and they had a new PoS system I have never seen before, and they only recently got it, so no one seemed to have any idea of how to use it correctly… kind of scary!